SecureMac, Inc.

Checklist 139: 2FA 101

May 23, 2019

We mention two-factor authentication quite a bit, but it’s been a while since we took a close look. On this week’s Checklist by SecureMac: Different types of authentication, What kinds of accounts should employ it, and August tells a 2FA tale.

Checklist 139: 2FA 101

Two-factor authentication, or 2FA — we mention it a lot, but do you ever find yourself wondering what it’s all about, what you should know, and what you should do about it? It’s been a while since The Checklist took a deep dive into the subject, but never fear: this week, we’re going over everything you need to know about 2FA again so that you are well prepared to secure your accounts and stay safer on many of the most common places you might go online. For this special discussion, we’re ticking these boxes on our list today:

  • The Different Types of Authentication
  • 2FA Saves the Day

You may also hear the term “MFA” (Multi-Factor Authentication); 2FA is a subset of MFA, and much of what we’ll discuss today applies to MFA as well.  So let’s not waste any time in getting started on a dissection of this vital security topic. Let’s start by knocking out some definitions and then talking about what they really mean for us as users.

The Different Types of Authentication

Like a high schooler’s term paper, let’s start with some definitions. Merriam-Webster defines authentication this way:

An act, process, or method of showing something (such as an identity, a piece of art, or a financial transaction) to be real, authentic, or genuine.

That’s not nearly specific or clear enough for our purposes here today — it’s just a little bit dry. Let’s instead turn to the trustworthy Techopedia, which defines authentication this way:

In the context of computer systems, authentication is a process that ensures and confirms a user’s identity. Authentication is one of the five pillars of information assurance (IA). The other four are integrity, availability, confidentiality and nonrepudiation.

We might dive into those other four pillars in a future episode, but for today we’ll focus exclusively on authentication — which we might note is separate from authorization. Authorization is a specific permission to do a thing or access a place. You may be authenticated, but you may not be authorized, and authentication is usually a prerequisite for authorization. Knowing that, let’s keep digging into authentication.

We authenticate ourselves daily — when you type in your password to a website, you’re authenticating that you are the person who owns that username. So why do we need two factors to authenticate ourselves these days, when passwords alone have been the go-to for so long? 

Two is better than one — it’s as simple as that. If you have something valuable you want to protect, two separate locks opened by different keys is always going to be a safer, more secure option than just one barrier. When you only use one factor, you’re just one step away from someone breaking into the account. Data breaches that compromise reused passwords are the most common cause of these types of intrusions — but two factor would still allow your account to remain protected even with the compromised password floating around out there. (Note: that doesn’t mean 2FA is a substitute for strong passwords or an excuse for re-use).

Passwords are a part of the most common type of authentication factor, but there are actually three different types to consider: knowledge factors, ownership factors, and inherence factors. There’s an easier way to remember that, though:

Knowledge is something you know — a password, for example. PINS and secret question answers are also good examples. Knowledge factors should be information that only you know. Two knowledge factors are not usually the most secure choice, though; it is more secure, but with all the information we put online these days, social engineering makes acquiring multiple knowledge factors too easy. That’s why it’s best paired with one of the other two types, or when you can rely on unique and time-limited knowledge (like a code sent to your phone). 

Ownership is something you have — the best example would be your debit or ATM card you use to withdraw cash from the bank. You know your PIN, and you have your card, and without the combination of both those things, you cannot authenticate yourself to the bank. Physical security dongles, such as the RSA SecurID of yesteryear, are also ownership factors. Today, these dongles have been phased out for phone-based apps like Google Authenticator; in this case, your phone is your ownership factor.

Inherence is something you are — we see this factor in use a lot more today. This usually refers to anything biometric, such as your face, fingerprint, retina, and so on. These factors are typically so unique that they are one of the strongest ways to authenticate, but they do raise privacy concerns as you must store this very critical data about yourself with a third party you trust. That’s why Apple stresses that your biometric data never actually leaves your device.

While all this is excellent and can help keep us much safer, there are still reasons why some people choose not to use 2FA. What are the pain points that are keeping people from enhancing their own security? 

From a user’s perspective, it’s all about the extra step. Yes, it does mean you will need to take a few extra seconds to log in, and yes, you’ll often have to find your phone to log in. Consider the consequences otherwise, though: a few seconds now, or the risk of potential identity theft or a privacy breach? It’s not a scare tactic — it’s just the way things are. Worrying about getting locked out of your accounts is normal, too, but with best practices, you should rarely ever run into that kind of situation.

From a security standpoint, the problem with 2FA is people. It’s easier to manipulate a person than it is to manipulate a computer, and with hackers always looking for vulnerable weak points, it still takes some vigilance to make 2FA work well. However, it’s far better than the alternative — and 2FA systems are getting better all the time.

So, what accounts of yours should use two-factor authentication?

This question has a quick and easy answer, and it doesn’t involve any definitions or long explanations: all of them. If you can use two-factor on an account, there is really no good reason not to enable it. Consider this: how often are you logging in and out of your accounts anyway? In most cases, we’re using our devices at home and rarely on ever on a public machine; your cookies will probably keep you logged in most of the time. That means punching in your two-factor code only comes into play when you log out or use a different computer. 

Your bank, your email, your online shopping accounts, even social media — if it’s there, turn it on. If it isn’t, ask! Find a contact email and start bugging your favorite services to enable two-factor authentication for a safer, more secure experience not only for you, but all the other users of the service. We can’t stress this enough: it is worth it!

2FA Saves the Day

Let’s pivot to a real-world example now, courtesy of our very own host, August Trometer. He once had an experience that perfectly encapsulates why turning on and using two-factor authentication is so critically important.

My Twitter handle is @August — a handle you can imagine might be valuable to a lot of other people, since it’s just a regular word and there are companies and other entities called August. None of them had anything to do with this, just some kid with too much time on his hands — but this kid had gleaned enough information about me from various sources online that he even knew my mobile phone number. 

So, I’m off doing something one night, and I get a text message that basically says “Hey, I’m going to steal your Twitter account to make a few bucks selling it. You should just give me access instead, or I’m going to release private information about you and your family online.”

I knew that I had two-factor authentication turned on, so I wasn’t concerned about losing access to the account. I replied with a response that charitably boils down to “bring it,” and so he did, putting up an infodump on a site used for sharing code and so on; the amount of information he gathered was almost impressive, including obscure details such as my father’s wife’s daughters, including their email addresses, some passwords, and even Social Security numbers. That’s the kind of data that makes identity theft pretty easy.

They tried to use this info to socially engineer their way into other accounts, calling Apple and others to try and get information changed for a takeover. Simply put, 2FA saved me from a ton of hassle and headaches dealing with this kid, since he was never able to successfully take over any of my accounts. In response, I went through and not only changed every single password, but every email associated with every account, too. If you’ve been using the same email on valuable accounts for a while, now is a good time to think about changing those just in case!

That’s all we have for you about 2FA, and we hope this week’s journey has been an illuminating one for you. Before we close out the show, a little bit of background on this week’s topic: this was actually the subject of a talk we presented recently at the Silicon Valley Macintosh/Apple User Group, based in Mountain View. Thanks to Lynda and Charles for inviting the Checklist team to come and give this talk — we fielded lots of excellent questions on two factor and had a lot of fun!

Are you a member of a similar type of user group? Don’t forget to check out our very own user group program for partners. SecureMac provides everything your group will need to present products such as PrivacyScan and MacScan aimed at keeping you and your Mac safer. Send an email to Checklist@SecureMac.com with the subject line “User Group Info” to find out more about how you can obtain keynotes, white papers, special discounts, and even enter into fun giveaways! 

Get the latest security news and deals